From owner-freebsd-hackers Tue May 6 19:43:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA25497 for hackers-outgoing; Tue, 6 May 1997 19:43:05 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA25476 for ; Tue, 6 May 1997 19:42:59 -0700 (PDT)
Message-Id: <199705070242.TAA25476@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA005812850; Wed, 7 May 1997 12:40:51 +1000
From: Darren Reed
Subject: Re: divert still broken?
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Wed, 7 May 1997 12:40:50 +1000 (EST)
Cc: archie@whistle.com, hackers@FreeBSD.ORG
In-Reply-To: from "Daniel O'Callaghan" at May 7, 97 08:51:15 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Daniel O'Callaghan, sie said:
>
> On Tue, 6 May 1997, Archie Cobbs wrote:
>
> > Proposal:
> >
> > deny : drop silently (same as before)
> > reject : send ICMP unreachable (same as before)
>
> [...good proposal snipped..]
>
> Looks great.
>
> > Anything else? :-)
>
> Can't think of anything, offhand. Other than splitting up the ipfw rule
> lists so there is a general list and a list per interface. Having
> interface lists would speed up searching for rules.

attaching them to "struct ifnet *" could be interesting (I looked at
doing this long ago but it wasn't "portable" enough to be worth my
while).

increases the complexity of managing it all though. one list -> one way
it can be processed easy to check, easy to manage, easy to verify - in
one's head anyway.